BSA-044_Security_update_for_opensaml2.mdwn 1.35 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
[[!meta date="2011-08-06 04:38:50 UTC"]]
	Russ Allbery uploaded new packages for opensaml2 which fixed the
	following security problems:

	CVE-2011-1411

	    Juraj Somorovsky, Andreas Mayer, Meiko Jensen, Florian Kohlar, Marco
	    Kampmann and Joerg Schwenk discovered that OpenSAML is vulnerable to
	    an XML signature wrapping attack that could allow a remote,
	    unauthenticated attacker to craft messages that can be successfully
	    verified but contain arbitrary content.  This may allow an attacker
	    to subvert the security of software using OpenSAML and supply an
	    unauthenticated login identity and data under the guise of a trusted
	    issuer.

	For the lenny-backports distribution, this problem has been fixed in
	2.3-2+squeeze1~bpo50+1.

	We recommend that you upgrade your opensaml2 packages and then restart
	shibd and Apache if you have Shibboleth installed as well.

	If you don't use pinning (see [1]) you have to update the package
	manually via "apt-get -t lenny-backports install <packagelist>" with
	the packagelist of your installed packages affected by this update.
25
	[1] <https://backports.debian.org/Instructions>
26 27 28 29 30 31 32 33

	We recommend to pin (in /etc/apt/preferences) the backports repository
	to 200 so that new versions of installed  backports will be installed
	automatically.

	  Package: *
	  Pin: release a=lenny-backports
	  Pin-Priority: 200